You are here

November 5, 2015, Trial News

Data breach case against Coca-Cola moves forward

Kate Halloran

Credit:
Hattanas / Shutterstock.com

A federal court has allowed a data breach action against Coca-Cola involving the theft of 55 laptops that contained 74,000 employees’ personal information to proceed. The Eastern District of Pennsylvania found that the plaintiff had Article III standing and allowed claims of breach of contract and unjust enrichment to proceed, but the court dismissed claims for negligence, fraud, negligent misrepresentation, and violation of the Driver’s Privacy Protection Act, among others. The case is another in a string of data breach suits nationwide in which personally identifiable information was potentially compromised.

A federal court has allowed a data breach action against Coca-Cola involving the theft of 55 laptops that contained 74,000 employees’ personal information to proceed. The Eastern District of Pennsylvania found that the plaintiff had Article III standing and allowed claims of breach of contract and unjust enrichment to proceed, but the court dismissed claims for negligence, fraud, negligent misrepresentation, and violation of the Driver’s Privacy Protection Act, among others. The case is another in a string of data breach suits nationwide in which personally identifiable information (PII) was potentially compromised. (Enslin v. Coca-Cola Co., 2015 WL 5729241 (E.D. Pa. Sept. 29, 2015).)

Between 2007 and 2013, the laptops were stolen from Keystone Coca-Cola Bottling Co., which was acquired by Coca-Cola Enterprises and then the Coca-Cola Co. as a subsidiary. The theft was not discovered until late 2013, and all the laptops were eventually recovered. A Coca-Cola Enterprises employee, Thomas William Rogers, was arrested for the theft in 2014 and has been charged with felony and misdemeanor theft. The plaintiff in the civil action, Shane Enslin, alleged that his identity was stolen from information on the laptops, including his Social Security number, driver’s license and motor vehicle records, and bank and credit card numbers that he provided to Keystone when he was employed as a service technician from 1996 to 2007.

The plaintiff received a letter from the defendants in 2014 stating that the laptops had been stolen and that his personal information may have been compromised. Throughout that year, the plaintiff claimed, money was stolen from his bank account and unauthorized purchases were charged to his credit cards. He also alleged that his name was fraudulently used to obtain a job with the United Parcel Service and to open new credit card accounts.

The defendants argued that Enslin did not have Article III standing to bring the action because he did not establish an injury-in-fact or a causal connection between the loss of the laptops and his identity theft. The court disagreed, finding that the “plaintiff’s harms are not ‘future harms,’ but are ongoing, present, distinct, and palpable.” Although other courts have refused to find standing for loss of PII if the information has not yet been used, the plaintiff in this case already suffered harm when his identity and financial information were misused. Turning to whether a causal connection existed between the laptop theft and the plaintiff’s injuries, the court found that despite seven years passing between the first laptop thefts and the misuse of the plaintiff’s data, the connection was plausible enough to meet the standing requirements. The chain from the plaintiff’s PII being present on the laptops, to the laptop thefts, and then to the plaintiff’s identity theft was sufficiently strong for this stage of the proceedings, because the defendants were in control of the information that was misused and the misuse is “fairly traceable” to their failure to safeguard the laptops.

The court held that even with standing, the plaintiff failed to state a claim on most counts, but his allegations for breach of contract and restitution for unjust enrichment were allowed. Enslin alleged that his employment contract with the defendants required him to provide the personal information that was compromised, and that the companies’ privacy and security policies implied that his PII would be appropriately protected. He also claimed that the defendants’ failure to adequately protect the laptops and employees’ PII resulted in cost savings for the company.

Data breaches have affected millions of Americans and occur in both the private and public sectors—from large retailers (Target and Neiman Marcus) to health care providers (Anthem) to software companies (Adobe) to the federal government (Office of Personnel Management). Plaintiffs have met with varying levels of success, and typically face Article III standing challenges. Defendants often argue that plaintiffs have not suffered a sufficiently concrete injury when their personal data has been released but has not yet been used fraudulently. Some courts have rejected this argument: In a data breach class action against Neiman Marcus, the Seventh Circuit stated that injured consumers should not have to wait until their data is misused to have standing to bring an action, as Trial News previously reported. The issue of whether Article III standing applies in cases where the plaintiff alleges a statutory violation without a concrete injury—and more broadly, what constitutes an “injury”—is currently before the U.S. Supreme Court in Spokeo, Inc. v. Robins, and may have implications for data breach cases. The Court heard oral arguments in the case on Nov. 2.